U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

Fiscal Year 2004 Federal Information Security Management Act Report

Report No. 50501-1-FM
October 2004


Executive Summary
Fiscal Year 2004 Federal Information Security Management Act Report

Results in Brief

This report presents the results of our audit of the Department’s efforts to improve the management and security of its information technology (IT) resources. Fieldwork for this audit was performed at the Department Office of the Chief Information Officer (OCIO) and three selected agencies. In addition, we included the results of (1) IT control testing performed by contract auditors at three additional agencies, (2) our most recent application control reviews, and (3) our general controls reviews at the Department’s two data centers. In total, our report is based on our reviews at 12 agencies conducted from October 2003 through August 2004. The OCIO annually reports on compliance with the Federal Information Security Management Act (FISMA) as of September 30 and, in some cases such as computer security awareness training and system certification and accreditation, completes, or documents the completion of, a significant amount of the required actions in the month of September. As such, the Department and its agencies may have implemented controls or completed corrective actions that, due to the timing of our fieldwork, may not be reflected in this report.

Historically, U.S. Department of Agriculture (USDA) agencies and departmental staff offices have independently addressed their respective IT security and infrastructure needs. This resulted in a broad array of technical and physical solutions that did not provide assurance that Department-wide security was obtained. The efforts of OCIO and the Office of Inspector General (OIG) in the past few years have heightened program management’s awareness of the need to plan and implement effective IT security. The Department and its agencies should be commended for their efforts during the year toward completion of the certification and accreditation of their systems; however, we still found significant weaknesses in the Department’s security program that can be attributed to management’s lack of commitment to implementing an effective security program within their respective agencies. USDA management must remain involved and committed toward implementing an effective security program within the Department. Both the OCIO and OIG reported the lack of agency management involvement as a material weakness in prior FISMA[1] reports. This is the third year we have reported this issue as a material weakness. Agency managers are ultimately responsible and should be held accountable for committing the appropriate resources to ensure compliance.

The Department and its agencies have made progress in addressing the lack of compliance with the Office of Management and Budget (OMB) Circular A-130, Appendix III, but weaknesses continue to exist. Specifically, OIG found that (1) the Department was still unable to produce a reliable inventory of applications and general support systems, (2) not all documents produced through the agencies’ certification and accreditation processes complied with OMB and other Federal requirements, and (3) a significant majority of the Department’s applications were not certified until near the end of the fiscal year.

[1] FISMA superseded the Government Information Security Reform Act that expired in November 2002.

USDA/OIG-A/50501-1-FM                                                  Page i

Despite the Department’s site license for vulnerability scanning software and a formal scanning policy, the agencies have not been timely in identifying and correcting known and exploitable vulnerabilities in their systems. The agencies we reviewed cited varying reasons for not performing vulnerability scans, including a lack of training and guidance on how to use the tools, and a lack of formal policies and procedures in place to periodically use the tools and mitigate the identified vulnerabilities. As a result, significant vulnerabilities go undetected and uncorrected, increasing the risk that attackers, both internal and external, could compromise mission-critical IT resources and data.

Further, we again identified access control weaknesses in every agency reviewed. This occurred because agencies did not have policies and procedures in place to (1) remove user accounts in a timely manner when they are no longer needed, (2) periodically reconcile user accounts to current employees and contractors, and (3) assign users only those permissions needed to perform their job responsibilities. We also found inadequate controls over the physical access to computer systems and critical network components in 6 of the 12 agencies reviewed. As a result, there is reduced assurance that agencies can effectively protect their mission-critical systems and data from unauthorized modification, disclosure, loss, or impairment.

Finally, in the past several years, OCIO has strengthened its oversight of agencies’ security programs; however, improvements could be made which would significantly strengthen the Department’s security posture. Specifically, OCIO needs to (1) formalize its tracking system for USDA cyber security incidents to ensure timely follow-up and resolution, and (2) increase the number and frequency of its agency reviews. We found that OCIO’s current method of tracking security incidents is not effective in ensuring that agencies follow up on security incidents in a timely and adequate manner. Further, despite continual requests for additional resources, OCIO acknowledges that it has not had the significant resources it needs to increase its review and enforcement efforts over agencies’ security programs. Despite its efforts over the past several years, OCIO’s inability to strengthen its oversight and enforcement role has hindered its ability to effectively manage the Department’s security program.

Recommendation in Brief

This report presents the results of our audit work in assessing the security over the Department’s IT resources. The recommendations we made to correct the deficiencies identified in this evaluation are made in agency reports. Therefore, we are not making additional recommendations related to those conditions in this report. We have, however, recommended that the OCIO (1) establish guidance in identifying systems within the Department and its agencies; and (2) implement a formal tracking system for cyber security incidents to ensure the timely follow-up, resolution, and reporting of those incidents.

Agency Response

OCIO agreed with many of the findings and one recommendation in the report. OCIO disagreed with OIG’s methodology of preparing this report, which uses the results of its audits conducted throughout the year without acknowledging the final set of achievements made at year-end. OCIO acknowledged that security weaknesses continue to exist, but stated that action plans are being developed to eliminate these weaknesses. Such actions will continue throughout the coming year. OCIO’s response to the official draft has been included in its entirety as exhibit B of this report.

OIG Position

OIG recognizes that differences will occur due to the methodologies used in preparing the two reports. However, the scope of our audit and the time needed to effectively evaluate the status of the Department’s security program do not allow us to perform extensive audit work at fiscal year-end. OIG further recognizes that achievements were made during the last month of the fiscal year and that OCIO and the agencies have plans to continue their efforts in improving the Department’s IT security position.


Abbreviations Used in This Report

AMS            Agricultural Marketing Service
APHIS          Animal and Plant Health Inspection Service
BIA            Business Impact Analysis
CCC            Commodity Credit Corporation
CIO            Chief Information Officer
CSREES         Cooperative State Research, Education, and Extension Service
DA             Departmental Administration
DR             Departmental Regulation
FIPS           Federal Information Processing Standards Publication
FISMA          Federal Information Security Management Act
FISCAM         Financial Information System Control Audit Manual
FSA            Farm Service Agency
FS             Forest Service
FSIS           Food Safety and Inspection Service
FY             Fiscal Year
GAO            Government Accountability Office (formerly the General Accounting Office)
GISRA          Government Information Security Reform Act
GSS            General Support System
HSPD           Homeland Security Presidential Directive
ISSPM          Information System Security Program Manager
IT             Information Technology
IG             Inspector General
LAN            Local Area Network
NFC            National Finance Center
NIST           National Institute of Standards and Technology
NITC           National Information Technology Center
NRCS           Natural Resources Conservation Service
OCIO           Office of the Chief Information Officer
OMB            Office of Management and Budget
OIG            Office of Inspector General
PED            Personal Electronic Devices
PKI            Public Key Infrastructure
POA&M          Plan of Action and Milestones
RMA            Risk Management Agency
SP             Special Publication
TCP/IP         Transmission Control Protocol/Internet Protocol
US-CERT        United States Computer Emergency Readiness Team
USDA           U.S. Department of Agriculture


Table of Contents

Executive Summary ................................................ i
Abbreviations Used in This Report ................................ iv
Background and Objectives ........................................ 1
Findings and Recommendations ..................................... 4
    Section 1. Management Commitment Needed for an Effective Security Program ........ 4
        Finding 1   Management Involvement and Commitment is Needed to Ensure a Successful and Effective Security Program ........ 4
    Section 2. OMB and FISMA Compliance ........ 7
        Finding 2   Progress is Made, but Noncompliance with Federally Mandated IT Security Requirements Continues ........ 7
            Recommendation No. 1 ........ 13
        Finding 3   Agencies Are Not Vigilant in Identifying and Mitigating System Vulnerabilities ........ 14
        Finding 4   Access Controls Continue to be a Significant Weakness in the Department ........ 15
        Finding 5   Improvements in OCIO’s Oversight Role would Benefit the Department ........ 17
            Recommendation No. 2 ........ 20
Scope and Methodology ............................................ 21
Exhibit A – OMB Reporting Requirements and OIG Position .......... 22
Exhibit B – OCIO’s Response to the Draft Report .................. 37


Background and Objectives

Background

Improving the overall management and security of information technology (IT) resources should be a top priority in the U.S. Department of Agriculture (USDA). As technology has enhanced the ability to share information instantaneously among computers and networks, it has also made organizations more vulnerable to unlawful and destructive penetration and disruption. Insiders with malicious intent, recreational and institutional hackers, and attacks by intelligence organizations of other countries are just a few of the threats that pose a risk to the Department’s critical systems and data.

On December 17, 2002, the President signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). FISMA permanently reauthorized the framework laid out in the Government Information Security Reform Act (GISRA) of 2000, which expired in November 2002. FISMA continues the annual review and reporting requirements introduced in GISRA. In addition, FISMA includes new provisions aimed at further strengthening the security of the Federal Government’s information and information systems, such as the development of minimum standards for agency systems. The National Institute of Standards and Technology (NIST) has been tasked to work with agencies in the development of those standards per its statutory role in providing technical guidance to Federal agencies.

The Act supplements information security requirements established in the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996, and is consistent with existing information security guidance issued by the Office of Management and Budget (OMB) and NIST. Most importantly, however, the provisions consolidate these separate requirements and guidance into an overall framework for managing information security and establish new annual reviews, independent evaluation, and reporting requirements to help ensure agency implementation and both OMB and congressional oversight.

The legislation assigned specific responsibilities to OMB, agency heads, Chief Information Officers (CIO), and Inspectors General (IG). OMB is responsible for establishing and overseeing policies, standards, and guidelines for information security. This includes the authority to approve agency information security programs. OMB is also required to submit an annual report to Congress summarizing results of agencies’ evaluations of their information security programs.

Each agency must establish an agency-wide risk-based information security program to be overseen by the agency CIO and ensure that information security is practiced throughout the lifecycle of each agency system. Specifically, this program must include:

    •   Periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems, and to data supporting critical operations and assets;

    •   development and implementation of risk-based, cost-effective policies and procedures to provide security protections for information collected or maintained by or for the agency;

    •   training on security responsibilities for information security personnel and on security awareness for agency personnel;

    •   periodic management testing and evaluation of the effectiveness of policies, procedures, controls, and techniques;

    •   a process for identifying and remediating any significant deficiencies;

    •   procedures for detecting, reporting, and responding to security incidents; and

    •   an annual program review by agency program officials.

In addition to the responsibilities listed above, the Act requires each agency to have an annual independent evaluation of its information security program and practices, including control testing and compliance assessment. The evaluations are to be performed by the agency IG or an independent evaluator, and the results of these evaluations are to be reported to OMB.

Objectives

The audit objective was to form a basis for conclusion regarding the status of USDA’s overall IT Security Program by:

    •   Evaluating the effectiveness of the Office of the Chief Information Officer’s (OCIO) oversight role of agency CIOs and FISMA compliance;

    •   determining whether agencies have maintained an adequate system of internal controls over IT assets in accordance with FISMA and other appropriate laws and regulations;

    •   evaluating the OCIO’s progress in establishing a Department-wide security program;

    •   assessing the corrective action taken by selected agencies on previously identified control weaknesses; and

    •   evaluating the agency and OCIO’s Plan of Action and Milestones (POA&M) consolidation and reporting process.


Findings and Recommendations

Section 1. Management Commitment Needed for an Effective Security Program

Finding 1   Management Involvement and Commitment is Needed to Ensure a Successful and Effective Security Program

While progress has been made, we have reported for the third year in a row that agency management needs to demonstrate involvement and commitment to ensure the ultimate success of their security programs. We believe that this lack of involvement and commitment continues to be a material weakness in achieving an effective security program within the Department, and remains an impediment to ensuring that its security programs are adequately designed and properly carried out. The Department and its agencies should be commended for their efforts during the year toward completion of the certification and accreditation of their systems; however, we still found significant weaknesses in the Department’s security program that can be attributed to management’s lack of commitment to implementing an effective security program within their respective agencies. Specifically, they cannot ensure compliance with OMB Circular A-130 requirements (see Finding No. 2), that security vulnerabilities are identified and mitigated in a timely manner (see Finding No. 3), and that adequate physical and logical access controls are in place (see Finding No. 4). These requirements are longstanding and the lack of adherence has been reported previously by the Office of Inspector General (OIG). Agency managers are ultimately responsible and should be held accountable for committing the appropriate resources to ensure compliance.

NIST Special Publication (SP) 800-12 states that, “A natural tension often exists between computer security and operational elements. In many instances, operational components – which tend to be far larger and therefore more influential – seek to resolve this tension by embedding the computer security program in computer operations. The typical result of this organizational strategy is a computer security program that lacks independence, has minimal authority, receives little management attention, and has few resources. As early as 1978, the Government Accountability Office (GAO) identified this organizational mode as one of the principal basic weaknesses in Federal agency computer security programs.”

Departmental Regulation (DR) 3140-1, “USDA Information System Security Policy,” dated May 15, 1996, states that agencies should assign the Information System Security Program Manager (ISSPM) to a level within the organization that can independently report to the appropriate program and/or departmental officials. The ISSPM must be able to assure security across the entire agency’s programs. Further, OMB Circular A-123, “Management Accountability and Control,” dated June 21, 1995, requires agencies to ensure that appropriate authority, responsibility, and accountability are defined and delegated to accomplish the mission of the organization, and that an appropriate organizational structure is established to effectively carry out program responsibilities.

During the fiscal year, the Department’s CIO implemented a Department-wide initiative to certify and accredit all major applications and general support systems (see Finding No. 2), a major component of compliance with OMB Circular A-130, Appendix III. While this effort is far from complete, the Department’s accomplishments in this effort might not have been obtained if left solely to the discretion of individual agency management. Despite the longstanding requirements of OMB Circular A-130, agency managers have been reluctant to comply without the guidance and emphasis of the Department’s CIO.

Last year we reported that a common symptom of a lack of management involvement was that agency security personnel had not been given the authority needed to effectively implement and manage their agency’s security programs. Our follow-up reviews in fiscal year 2004 continue to show that agency security personnel alone have not been able to ensure compliance with Federal IT security guidelines. The same weaknesses we previously reported, such as access control weaknesses and vulnerability mitigation, still existed in all 12 agencies. In addition, despite our recommendations, some agencies have not realigned their CIOs and ISSPMs within their organizations or emphasized their oversight and enforcement authority sufficiently to implement the agency’s security program. The following examples illustrate some of the continued weaknesses we identified.

    •   Our review at one agency found material internal control weaknesses in the area of access controls and application change controls for the second year in a row. While the agency took action to correct the specific problems we identified, it failed to address the underlying internal control weakness. Further, despite our recommendations, the agency had not taken sufficient actions to address the weaknesses we identified in its organizational structure and oversight of contractor personnel.

    •   The CIO for another agency lacked the authority to ensure that the agency’s security program was operating effectively. Specifically, the CIO was unable to (1) provide us a list of users on all agency systems, (2) identify all contractors and whether or not they received security-related training, or (3) identify all staff within the agency that had significant IT security responsibilities. Further, the CIO was not aware that a POA&M had been completed for one of the agency’s systems.

Unlike the other issues in this report, we do not believe the weakness in this finding can be corrected by policy or guidance issued by the Department OCIO. Only after agency managers demonstrate their commitment to ensuring compliance with OMB Circular A-130 and other federally mandated security guidelines will an effective Department-wide security program be achieved. The issues raised in this report have been reported in specific agency reports. Therefore, we make no additional recommendations herein.


Section 2. OMB and FISMA Compliance

The Department and its agencies have made significant progress toward accomplishing compliance with OMB Circular A-130 and other federally mandated security requirements; however, not all of the Department’s agencies were fully compliant. This is our fourth report in 4 years where we have reported this weakness, and the third year that we have noted that management involvement and commitment remains a material weakness toward ensuring compliance and improving IT security. Management’s challenge is to ensure that every IT system deployed and managed by the Department complies with major security disciplines required by Federal law and guidance. While most agency security staffs have done what they can, many of the issues we raised will not be corrected until agency management commits the needed resources. The Department heavily relies on hundreds of information systems operated within USDA to deliver its programs and meet its missions. The weaknesses we continue to report jeopardize the confidentiality, integrity, and availability of these resources.

Finding 2   Progress is Made, but Noncompliance with Federally Mandated IT Security Requirements Continues

The Department and its agencies have made progress in addressing the lack of compliance with OMB Circular A-130, Appendix III, but weaknesses continue to exist. Specifically, we found that (1) the Department was still unable to produce a reliable inventory of applications and general support systems (GSS), (2) not all documents produced through the agencies’ certification and accreditation processes complied with OMB and other Federal requirements, and (3) a significant majority of the Department’s applications were not certified until near the end of the fiscal year.[2] OIG continues to identify weaknesses within the agencies, and the lack of management’s demonstrated commitment and involvement remains a key barrier to compliance (see Finding No. 1). Agency managers are ultimately responsible for ensuring that their agencies comply with laws and regulations governing IT management and security. The fact that these weaknesses have been reported for 4 years indicates that management has not yet established adequate controls or committed the appropriate resources to ensure compliance. The Department and its agencies rely on their IT infrastructures and systems to issue billions of dollars in payroll, loans, and entitlement benefits; supply market-sensitive data on commodities to the agricultural economy; and manage consumer protection programs.
The Department\xe2\x80\x99s\n\n\n2\n  The fact that most agencies did not have certification and accreditation in place for a majority of the fiscal year makes them, as a whole, materially non-\ncomplaint with OMB A-130 for the fiscal year.\n\nUSDA/OIG-A/50501-1-FM                                                                                                                             Page 7\n\x0c                                       ability to accomplish its mission could be jeopardized if it does not properly\n                                       manage and secure its IT infrastructure.\n\n                                       The foundation for security over IT resources is found in OMB Circular A-\n                                       130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information Resources.\xe2\x80\x9d\n                                       This Circular establishes a minimum set of controls for agencies\xe2\x80\x99 automated\n                                       information security programs, including certifying to the security of any\n                                       systems that maintain sensitive data; establishing contingency plans and\n                                       recovery procedures in the event of a disaster; providing security awareness\n                                       training to employees and contractors; and establishing a comprehensive\n                                       security plan. 
Homeland Security Presidential Directive (HSPD) \xe2\x80\x93 7,\n                                       \xe2\x80\x9cCritical Infrastructure Identification, Prioritization, and Protection,\xe2\x80\x9d dated\n                                       December 17, 2003, requires agencies to identify, prioritize, assess,\n                                       remediate, and protect their internal critical infrastructure and key resources.\n\n                                       In December 2002, FISMA3 permanently reauthorized the framework laid\n                                       out in the GISRA which expired in November 2002, and establishes NIST as\n                                       the authority for establishing technical guidance for the Federal Government.\n                                       OMB guidance for implementing these laws lays out a framework that\n                                       contains timeframe requirements and procedures for annual IT security\n                                       reviews, reporting, and remediation planning for Federal agencies.\n\n                                       Inventory of Applications and General Support Systems\n\n                                       The Department still does not have a reliable inventory of applications and\n                                       GSS from which to manage Department-wide IT security. The Department\n                                       relies on agencies to provide a comprehensive list of their major applications\n                                       and GSS systems; however, the OCIO has been unable to verify the accuracy\n                                       or reliability of those agency-provided inventories. As a result, the OCIO\n                                       cannot be assured that all systems are properly accredited. 
Further, we\n                                       question how the OCIO can properly manage a Department-wide security\n                                       program without an accurate inventory of all agency applications and GSS\n                                       systems.\n\n                                       As part of its Year 2000 conversion efforts, the Department identified a list of\n                                       mission-critical applications. OCIO officials acknowledged that this initial\n                                       list was incomplete mainly due to the lack of understanding across all\n                                       agencies of what constituted a \xe2\x80\x9csystem.\xe2\x80\x9d In fiscal year 2004, in preparation\n                                       for our nationwide audit for application controls, we selected seven systems\n                                       from the OCIO\xe2\x80\x99s list of major applications dated December 2003. Our\n                                       review disclosed that three of the seven applications we selected were\n                                       scheduled to be replaced or would no longer be used by the end of the fiscal\n                                       year, one application was in the initial stages of development and therefore\n                                       not far enough along for the certification process, and one system was an ad\n                                       hoc database containing historical data no longer used by the agency but\n\n3\n    The Electronic Government Act, Title III, signed into law December 17, 2002.\n\nUSDA/OIG-A/50501-1-FM                                                                                           Page 8\n\x0c                   \xe2\x80\x9cscheduled\xe2\x80\x9d to be brought back on-line sometime during the year. 
Further,\n                   we noted that between December 2003 and August 20, 2004, OCIO provided\n                   us with at least 4 different lists of systems or certification progress updates\n                   showing the total number of departmental systems ranging between 594 and\n                   460. OCIO officials acknowledged that the Department\xe2\x80\x99s inventory of\n                   systems had evolved throughout the year, and will continue to do so;\n                   however, officials informed us that through their work with the agencies\n                   during the certification and accreditation process, the current list of\n                   departmental systems represents an improvement over prior efforts.\n\n                   While we agree that OCIO\xe2\x80\x99s current list of systems provides a starting point,\n                   we believe that the errors we found support the need to have a well-\n                   established definition of \xe2\x80\x9csystem\xe2\x80\x9d and reasonable assurance that agencies are\n                   reporting their systems in accordance with that definition. Further, we\n                   believe that the OCIO needs to be fully aware of all applications and GSS\n                   that reside on the Department\xe2\x80\x99s network to ensure that agencies are in\n                   compliance with OMB and FISMA requirements, and to effectively manage\n                   its security program.\n\n                   Risk Assessments\n\n                   Agencies reviewed during fiscal year 2004 had not adequately assessed the\n                   risk to their mission-essential IT resources. 
OMB A-130 requires a risk-\n                   based approach to security and consistent with FISMA, HSPD \xe2\x80\x93 7 requires\n                   agencies to identify, prioritize, and coordinate the protection of critical\n                   infrastructure and key resources in order to prevent, deter, and mitigate the\n                   effects of deliberate efforts to destroy, incapacitate, or exploit them.\n                   Additionally, according to NIST SP 800-34, business impact analysis (BIA)\n                   helps to fully characterize system requirements, processes, and\n                   interdependencies and use this information to determine contingency\n                   requirements and priorities. The BIA\xe2\x80\x99s purpose is to correlate specific\n                   system components with the critical services they provide, and based on that\n                   information, to characterize the consequences of a disruption to the system\n                   components. Hence, the BIA needs to be completed to aid in the adequate\n                   completion of various certification and accreditation documents.\n\n                   One agency we reviewed performed risk assessments for only two of its\n                   seven mission-critical systems. Further, one of the two risk assessments had\n                   very little detail and followed, generically, the outline suggested in NIST\n                   guidance. The agency\xe2\x80\x99s CIO informed us that the various divisions of the\n                   agency maintained their own systems and the CIO did not have the resources\n                   or enforcement authority over those divisions to ensure compliance with\n                   Federal guidelines. 
Based on the results of our audit, the certification and\n                   accreditation documents produced by the agency\xe2\x80\x99s contractor were sent back\n                   for revisions.\n\n\n\nUSDA/OIG-A/50501-1-FM                                                                      Page 9\n\x0c                   Two other agencies did not evaluate their security policies based on the\n                   identified risks, nor had they taken any actions to eliminate or otherwise\n                   mitigate the identified risks. Agency officials informed us that a different\n                   contractor prepared its risk assessments, and that agency officials did not\n                   ensure that the information was communicated to the contractor preparing the\n                   security plan.\n\n                   Security Plans\n\n                   Agencies still had not prepared all required security plans, or ensured that the\n                   plans adequately addressed all requirements of OMB Circular A-130 and\n                   other Federal security guidance. OMB requires agencies to prepare a security\n                   plan to provide an overview of the security requirements of their major\n                   applications and GSS. Security plans should define who has responsibility\n                   for system security, who has authority to access the system, appropriate limits\n                   on interconnectivity with other systems, and security training of individuals\n                   authorized to use the system.\n\n                   One of the agencies we reviewed had not completed security plans for its\n                   telecommunications network, which included its routers, firewalls, and\n                   intrusion detection system. 
OMB requires security plans for GSS since these\n                   systems provide interconnectivity among systems and provide the first level\n                   of security controls to protect the confidentiality, integrity, and availability of\n                   other systems. In many cases, the GSS provides the only security for non-\n                   critical applications. The agency recognized that these actions need to be\n                   completed and has identified them in its POA&Ms. Agency officials stated\n                   that meeting the requirements involves major effort and requires time and\n                   resources to comply thoroughly.\n\n                   At another agency, we found that the agency had accepted inadequate\n                   security plans from its contractor. We found that the agency had recently\n                   made significant changes to its GSS; however, the security plan provided by\n                   the contractor did not (1) reflect the current operating environment, (2)\n                   identify the system owner, or (3) identify the security officer responsible for\n                   the system. 
At a third agency, the security plans lacked essential information\n                   such as interconnectivity with other systems, physical security standards and\n                   enforcement, and the training requirements necessary for the users of the\n                   system.\n\n                   Until security plans are completed for all major applications and GSS, the\n                   Department cannot be assured that it has adequately addressed its security\n                   needs and that its security policies and practices have become an integral part\n                   of its operations.\n\n\n\n\nUSDA/OIG-A/50501-1-FM                                                                        Page 10\n\x0c                                      Contingency/Disaster Recovery\n\n                                      Agencies we reviewed had not prepared contingency and disaster recovery\n                                      plans, or ensured that their disaster recovery plans were executable. Despite\n                                      the longstanding requirement in OMB Circular A-130 that agencies prepare\n                                      and test contingency plans, agencies still have not addressed this critical step.\n                                      OMB also states that contingency plans should be tested, as untested or\n                                      outdated contingency plans create a false sense of the ability to recover in a\n                                      timely manner. 
NIST SP 800-12, \xe2\x80\x9cAn Introduction to Computer Security,\xe2\x80\x9d\n                                      Section 11.6, states a contingency plan should be tested periodically because\n                                      there will undoubtedly be flaws in the plan and in its implementation.\n                                      Furthermore, the plan will become dated as time passes and as the resources\n                                      used to support critical functions change. Additionally, NIST4 requires a BIA\n                                      to help fully characterize system requirements, processes, and\n                                      interdependencies and use this information to determine contingency\n                                      requirements and priorities. The BIA\xe2\x80\x99s purpose is to correlate specific\n                                      system components with the critical services they provide, and based on that\n                                      information, to characterize the consequences of a disruption to the system\n                                      components.\n\n                                      One agency had prepared a contingency plan for only one of its seven major\n                                      applications, and this plan had not been tested. Even though this agency\xe2\x80\x99s\n                                      systems affected the safety of all Department employees, the agency did not\n                                      consider disaster recovery planning a priority. 
Furthermore, the agency had\n                                      not planned on testing its one disaster recovery plan because it believed that\n                                      the Department\xe2\x80\x99s CIO was responsible for conducting this testing.\n\n                                      Our review of one major application contingency plan at another agency\n                                      found that the agency had begun to identify and prioritize critical data and\n                                      operations, determine the resources needed to support those operations, and\n                                      establish emergency priorities. However, we found that the agency\xe2\x80\x99s staff\n                                      had not been trained in how to implement the contingency plan in the event\n                                      of an emergency. Further, the contingency plan we reviewed was still under\n                                      development because the BIAs had not been finalized and reviewed by\n                                      management.\n\n                                      Three agencies did not have disaster recovery plans in place that were\n                                      sufficiently comprehensive to ensure adequate recovery of their applications\n                                      in the event of a major disruption. Agency officials indicated that they were\n                                      relying on the certification and accreditation process to ensure that their\n                                      contingency and disaster recovery plans were adequately tested.\n\n                                      Without effective, executable plans for the Department\xe2\x80\x99s major applications\n                                      and GSS, it cannot be assured that it will be able to continue delivery of its\n                                      programs and meet its missions. 
Department CIO officials informed us that\n\n4\n    NIST SP 800-34, \xe2\x80\x9cContingency Planning Guide for Information Technology Systems,\xe2\x80\x9d dated June 2002.\n\nUSDA/OIG-A/50501-1-FM                                                                                         Page 11\n\x0c                                  they are planning an initiative to assist agencies in the preparation and testing\n                                  of contingency and disaster recovery plans.\n\n                                  System Certification, Accreditation, and Authorization\n\n                                  At the time of our fieldwork, the agencies we reviewed had not completed\n                                  system certifications and accreditations on their major applications or GSS.\n                                  Agencies\xe2\x80\x99 officials have informed us that they are completing the\n                                  certifications in accordance with the Department\xe2\x80\x99s directives and intend to\n                                  have this process completed by September 30, 2004.5 This process, required\n                                  by OMB Circular A-130 and emphasized in NIST SP 800-37,6 requires\n                                  agencies to (1) document significant security controls within the system, (2)\n                                  perform an independent accreditation of the effectiveness of those controls,\n                                  and (3) formally approve, with signature authority by program management,\n                                  use of the system in the production environment. Despite the longstanding\n                                  requirement by OMB to complete this certification and accreditation process\n                                  prior to system implementation, the requirement has been largely ignored and\n                                  not enforced. 
Department CIO officials have informed us that they are\n                                  committed to ensuring that the certification and accreditation process is fully\n                                  implemented into every agency\xe2\x80\x99s system development lifecycle process.\n\n                                  Security Awareness and Training\n\n                                  We found that agencies had processes and resources in place to provide their\n                                  employees with security awareness training, and that system and network\n                                  administrators have a means to acquire specialized training relating to their\n                                  responsibilities; however, they had not established adequate controls to\n                                  ensure all employees received the necessary training. OMB Circular A-130\n                                  requires agencies to ensure that all individuals are appropriately trained in\n                                  how to fulfill their security responsibilities before allowing them access to the\n                                  system, and that persons with significant responsibilities over systems be\n                                  provided training commensurate with their responsibilities. Further, DR-\n                                  3140-1 states agency security programs are to ensure that all employees and\n                                  contractors receive annual security awareness training. While all agencies we\n                                  reviewed had offered some type of training related to security, the agencies\n                                  did not ensure that every employee received the training. 
For example:\n\n                                       \xe2\x80\xa2    In one agency, we found that only about 51 percent of the employees\n                                            took security awareness training. Additionally, the agency could not\n                                            provide an up-to-date listing of contractors, contractor training, or\n                                            contractor background checks because no controls had been put into\n                                            place to track these individuals.\n\n\n\n5\n OCIO Officials have revised the target date for completing certification and accreditation to the end of calendar year 2004.\n6\n NIST SP 800-37, dated May 2004, replaced Federal Information Processing Standards Publication (FIPS) 102, \xe2\x80\x9cGuidelines for Computer Security\nCertification and Accreditation,\xe2\x80\x9d dated September 27, 1983. FIPS 102 discusses these issues in Sections 1.5.2, 2.7, and 2.7.3.\n\nUSDA/OIG-A/50501-1-FM                                                                                                            Page 12\n\x0c                        \xe2\x80\xa2   Another agency provided a list of 351 system administrators, but\n                            could produce documentary support that only 65 had received\n                            specialized training relating to their responsibilities. While the\n                            agency recognized the need for specialized training for its system\n                            administrators, the agency made the training voluntary rather than\n                            mandatory.\n\n                   The Department established an enterprise-wide security awareness-training\n                   program through which all agencies have participated. 
This system allows\n                   agencies to track those individuals that have received the required training.\n                   Since most agencies within the Department emphasize the need for this\n                   training toward the end of the fiscal year we have not validated whether all\n                   agencies have completed this training for the current year.\n\n                   Despite the significant emphasis placed on certification and accreditation, the\n                   Department and its agencies still have significant progress to make before it\n                   has fully complied with OMB and other Federal IT security requirements. It\n                   is OIG\xe2\x80\x99s opinion that the progress made to date would not have occurred\n                   without the commitment of the Department\xe2\x80\x99s OCIO. However, as reported\n                   elsewhere in this report, agencies are ultimately responsible for the security\n                   and management of their IT resources, and agency management needs to\n                   ensure compliance with laws and regulations through the commitment of the\n                   necessary resources.\n\n                   Most of the issues we raised have been reported in agency-specific reports\n                   and therefore we make no additional recommendations on those issues.\n                   However, to better determine the total number of systems within the\n                   Department, we are recommending that the OCIO, in consultation with the\n                   agencies, define \xe2\x80\x9csystem\xe2\x80\x9d for the Department and ensure that agencies report\n                   and track systems under their control.\n\nRecommendation No. 1\n\n                   The OCIO should establish guidance in identifying systems within the\n                   Department and its agencies.\n\n                   Agency Response. 
OCIO stated that it challenged agencies, during the\n                   fiscal year\xe2\x80\x99s certification and accreditation effort, to develop sound\n                   inventories of their systems. Throughout the certification and accreditation\n                   effort, adjustments to systems inventory occurred due to contract expertise\n                   establishing the appropriate scope for testing, as well as combining like\n                   systems and elimination of others that have been or soon will be replaced.\n                   OCIO stated that this constant attention throughout the year has resulted in a\n                   sound listing of all USDA major and non-major applications and general\n                   support systems. OCIO expects the systems inventory to be a baseline and\n                   not static.\n\n\nUSDA/OIG-A/50501-1-FM                                                                    Page 13\n\x0c                                        OIG Position. OIG recognizes that an inventory of systems is not static and\n                                        will change as new systems are developed and old ones are no longer needed.\n                                        However, defining and inventorying systems has been a problem within\n                                        USDA since its initial effort during the year 2000 conversion process.\n                                        OMB\xe2\x80\x99s definition of a system in Circular A-130, Appendix III, has been\n                                        broadly interpreted and not consistently applied within the agencies of the\n                                        Department. 
Without clear and definite guidance from OCIO, the agencies\n                                        will continue to inconsistently apply the definition of a system and make the\n                                        Department\xe2\x80\x99s inventory of systems only marginally effective in managing the\n                                        Department\xe2\x80\x99s security program. In order to reach management decision, the\n                                        OCIO must provide us with how it will ensure that the Department and its\n                                        agencies will consistently apply OMB\xe2\x80\x99s definition of a system and ensure\n                                        compliance by the agencies.\n\n\n\n\nFinding 3                               Agencies Are Not Vigilant in Identifying and Mitigating System\n                                        Vulnerabilities\n\n                                        Despite the Department\xe2\x80\x99s site license for vulnerability scanning software and\n                                        a formal scanning policy, the agencies have not been identifying and\n                                        correcting known and exploitable vulnerabilities in their systems in a timely\n                                        manner. The agencies we reviewed cited varying reasons for not performing\n                                        vulnerability scans, including a lack of training and guidance on how to use\n                                        the tools, and had no formal policies and procedures in place to periodically\n                                        use the tools and mitigate the identified vulnerabilities. 
As a result,\n                                        significant vulnerabilities go undetected and/or uncorrected, increasing the\n                                        risk that attackers, both internal and external, could compromise mission-\n                                        critical IT resources and data.\n\n                                        OMB Circular A-130 requires agencies to assess the vulnerability of\n                                        information system assets, identify threats, quantify the potential losses from\n                                        threat realization, and develop countermeasures to eliminate or reduce the\n                                        threat or amount of potential loss. Departmental guidance requires agencies\n                                        to keep an inventory of their network, to perform monthly network scans, and\n                                        to develop and implement corrective action plans to address critical\n                                        vulnerabilities.    In addition, DR-3140 establishes policies to ensure\n                                        comprehensive security programs are in place to safeguard all information IT\n                                        resources.\n\n                                        Eleven of the twelve7 agencies we reviewed had failed to establish effective\n                                        controls to identify and mitigate vulnerabilities in their systems as required\n                                        by Department policy in a timely manner. 
In 2001, the Department, based on our audit results, purchased a Department-wide license for a commercially available vulnerability scanning software tool. The tool identifies exploitable vulnerabilities in operating systems that use Transmission Control Protocol/Internet Protocol (TCP/IP), the protocol suite used on the global Internet, and categorizes vulnerabilities as high, medium, or low risk.[8] Some agencies we reviewed scanned their systems once every few months but not on a consistent basis; other agencies scanned their systems using one of the software's built-in policies, which does not identify all known vulnerabilities that attackers can exploit; and other agencies failed to scan critical components of their networks, such as their routers and firewalls.

[7] One agency had established effective controls over its own scanning process.

USDA/OIG-A/50501-1-FM    Page 14

As we reported last year as well, many of the vulnerabilities we discovered were not caused by poorly written software or the operating system, but by the failure of agency personnel to assign strong passwords to system accounts or to configure system settings securely.
For instance, at one agency we found nearly 50 high- and medium-risk vulnerabilities on one server alone. We later found that the IT staff had connected to the production network a development system that had not been properly configured or "hardened."

The issues raised in this report have been reported to the Department's OCIO and in specific agency reports. Therefore, we make no additional recommendations herein.


Finding 4    Access Controls Continue to be a Significant Weakness in the Department

We again identified access control weaknesses in every agency reviewed. This occurred because agencies did not have policies and procedures in place to (1) promptly remove user accounts that are no longer needed, (2) periodically reconcile user accounts to current employees and contractors, and (3) assign users only those permissions needed to perform their job responsibilities. We also found inadequate controls over physical access to computer systems and critical network components in 6 of the 12 agencies reviewed.
As a result, there is reduced assurance that agencies can effectively protect their mission-critical systems and data from unauthorized modification, disclosure, loss, or impairment.

NIST SP 800-12, "An Introduction to Computer Security: The NIST Handbook," states that effective administration of users' computer access is essential to maintaining system security. User account management focuses on identification, authentication, and access authorizations. The process of auditing and otherwise periodically verifying the legitimacy of current accounts and access authorizations augments this. Finally, system administrators should promptly modify or remove access for employees who are reassigned, promoted, or terminated or who retire.

[8] High-risk vulnerabilities are security issues that allow immediate remote or local access, or immediate execution of code or commands with unauthorized privileges. Medium-risk vulnerabilities are security issues that have the potential of granting access or allowing code execution by means of complex or lengthy exploit procedures. Low-risk vulnerabilities are security issues that deny service or provide non-system information that could be used to formulate structured attacks on a target, but do not directly grant unauthorized access.
Both OMB and NIST require physical access controls that restrict the entry and exit of personnel from areas such as the office building, suite, data center, or room containing a local area network (LAN) server. Physical access controls guard against theft, disablement, or other modification of network hardware that could lead to the loss of critical data residing on that hardware. Physical access controls (such as locked server room doors) ensure that only authorized personnel can physically handle and perform maintenance on network servers and other critical network hardware.

Physical Access

We found physical access control weaknesses in 6 of the 12 agencies reviewed. At one agency, we found that an inadequate process was in place to reconcile the computer room access records maintained by the Office of Operations with agency records. According to Office of Operations access records, 70 people had physical access to the room where critical systems were located. Agency records indicated that only 24 individuals had authorized access to the computer facility, and 8 of those 24 individuals were no longer employed by the agency. Additionally, agency personnel were unable to identify 48 of the 70 people shown by the Office of Operations to have access to the agency computer room.

Another agency, which conducts oversight reviews of private-sector companies, allowed its computer systems to be left unattended for long periods of time in unsecured places.
This allowed unauthorized users, including persons subject to the agency's oversight, to access these systems and potentially modify application data without being detected.

Logical Access

In all 12 agencies reviewed, we identified logical access control weaknesses. The agencies had not established formal procedures to promptly remove users who no longer needed access to their systems, or to ensure that access is restricted to the data employees need to perform their job functions. Logical access controls such as user names, passwords, and access permissions ensure that only authorized users can reach network resources from across the network, and that users are granted only the access needed to carry out their job responsibilities. In today's global network environment, strong access controls help ensure that malicious users, both internal and external to the agency's network, do not gain access to critical data.
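The reconciliation the two preceding subsections call for (computer room access records against agency authorization records and the employee roster; user accounts against current employees and job-based permissions) is the same comparison in both cases. The following Python script is an added example, not the audit report's or any USDA agency's code; the roster, authorization list, and access grants are constructed, and the entitlement names and the "active"/"separated" status values are assumptions. It classifies each grant as an unknown identity, a separated employee, or an excess privilege, produces the revocation list, and computes head-count figures of the kind the physical access finding reports (people with access, people authorized, authorized people no longer employed, and people with access whom the agency cannot identify).

```python
"""Reconcile access grants against authorizations and the HR roster (added example)."""
from dataclasses import dataclass, field

# Constructed sample records for illustration; names, entitlements and the
# "active"/"separated" status values are assumptions, not data from the audit.
# HR roster: who is currently employed (or under contract) and their status.
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "separated", "dave": "active"}

# Agency authorization records: what each person is approved to hold.
AUTHORIZED = {
    "alice": {"computer-room", "app:admin"},
    "bob": {"computer-room", "app:input"},
    "carol": {"computer-room"},
    "dave": {"app:input"},
}

# What the badge system and application ACLs actually grant: (subject, entitlement).
GRANTED = [
    ("alice", "computer-room"), ("alice", "app:admin"),
    ("bob", "computer-room"), ("bob", "app:admin"),  # admin was never authorized for bob
    ("carol", "computer-room"),                       # carol has left the agency
    ("vendor1", "computer-room"),                     # nobody at the agency can identify this badge
    ("dave", "app:input"),
    ("helpdesk", "app:admin"),                        # generic account: no person on the roster
]


@dataclass
class Reconciliation:
    unknown: list = field(default_factory=list)    # granted to an identity not on the roster
    separated: list = field(default_factory=list)  # granted to a person no longer employed
    excess: list = field(default_factory=list)     # granted beyond the agency's authorization


def reconcile(granted, authorized, roster):
    """Classify every grant that should not exist. Grants to active, authorized
    holders are accepted silently; everything else lands in one of three buckets."""
    report = Reconciliation()
    for subject, entitlement in sorted(set(granted)):
        status = roster.get(subject)
        if status is None:
            report.unknown.append((subject, entitlement))
        elif status != "active":
            report.separated.append((subject, entitlement))
        elif entitlement not in authorized.get(subject, set()):
            report.excess.append((subject, entitlement))
    return report


def revocations(report):
    """Every grant to remove: the union of the three buckets."""
    return report.unknown + report.separated + report.excess


def headcount(granted, authorized, roster):
    """Counts in the form the physical access finding reports them: identities the
    access system grants, identities the agency lists as authorized, how many of
    those are no longer employed, and how many granted identities the agency cannot identify."""
    with_access = {subject for subject, _ in granted}
    authorized_ids = set(authorized)
    return {
        "with_access": len(with_access),
        "authorized": len(authorized_ids),
        "authorized_but_separated": sum(1 for s in authorized_ids if roster.get(s) != "active"),
        "unidentified": len(with_access - authorized_ids),
    }


if __name__ == "__main__":
    rep = reconcile(GRANTED, AUTHORIZED, HR_ROSTER)
    for bucket in ("unknown", "separated", "excess"):
        for subject, entitlement in getattr(rep, bucket):
            print(f"{bucket:9s} {subject}: {entitlement}")
    print("revoke:", revocations(rep))
    print("headcount:", headcount(GRANTED, AUTHORIZED, HR_ROSTER))
```

On the constructed data the script revokes four grants: the two held by identities no one on the roster can account for (the generic "helpdesk" account and the "vendor1" badge), the separated employee's room access, and bob's unapproved administrative right. Running this comparison on a schedule, with the HR roster as the authoritative source, is the periodic reconciliation the agencies lacked; a generic account shows up here automatically because it can never map to a person on the roster.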
The following describes some of the logical access control weaknesses identified.

•  We found that one agency (1) had not configured its systems to limit access to sensitive files to authorized users only, (2) was allowing the use of generic user accounts, which hinders the agency's ability to hold users accountable for their actions, (3) had not configured the system to expire users' passwords in accordance with Department regulations, (4) granted administrative privileges to an excessive number of users, some of whose privileges conflicted with their job responsibilities, and (5) stored critical account passwords in a central file that was accessible by at least six agency personnel who did not need access to these passwords to perform their job functions.

•  At five agencies, our review found that users' access permissions to data were inconsistent with their job responsibilities. In one application, the agency programmed the application to allow access to data based on one of six user profiles, each of which limited the user to certain data-input screens. However, this was not sufficient to limit access based on job function.
For instance, all users in the agency's district offices, from the office supervisor to administrative support personnel, had access to add or modify data in the application. In another application, approximately 47 agency personnel had access. Of those 47, 36 had administrative access, giving them complete control to add, modify, or delete the data in the application. During our fieldwork, the agency recognized that not all 36 persons needed this level of access and reduced it to only 9 users.

The issues raised in this report have been reported to the Department's OCIO and in specific agency reports. Therefore, we make no additional recommendations herein.


Finding 5    Improvements in OCIO's Oversight Role Would Benefit the Department

In the past several years, OCIO has strengthened its oversight of agencies' security programs; however, improvements could be made that would significantly strengthen the Department's security posture. Specifically, OCIO needs to (1) formalize its tracking system for USDA cyber security incidents to ensure timely followup and resolution, and (2) increase the number and frequency of its own agency reviews.
Despite its efforts over the past several years, OCIO has not sufficiently strengthened its oversight and enforcement role, which has hindered its ability to effectively manage the Department's security program.

The Clinger-Cohen Act requires the head of each executive agency to ensure that the information security policies, procedures, and practices of the executive agency are adequate. The Act established the CIO in the Department and requires the CIO to monitor the performance of USDA's IT programs. In addition, FISMA requires the CIO to (1) ensure that the Department effectively implements and maintains information security policies, procedures, and control techniques; (2) evaluate the effectiveness of the information security program by periodically testing and evaluating information security controls and techniques; and (3) implement appropriate remedial actions based on that evaluation. Finally, FISMA also requires the Department to report to OMB and Congress on the results of the above tests and evaluations and on the progress of remedial actions.

Tracking of Cyber Security Incidents

For the past 4 years, OCIO has been operating the Department's intrusion detection system, which alerts OCIO officials to potentially threatening or destructive intrusions into the Department's networks and systems.
This process has served the Department well by identifying the presence of Internet worms, the use of software to download copyrighted or inappropriate materials, and potential hacking attempts on critical systems. However, despite our prior recommendation, the Department's OCIO has not formalized its tracking of cyber-related incidents.

As OCIO identified potential threats, OCIO personnel reacted by informing the affected agency of the incident. OCIO's policy requires that the agency prepare and submit an incident report describing the nature of the incident and the actions taken to correct its effects. Our review showed that OCIO, while communicating potential threats to agency personnel in a timely manner, was not ensuring that the agency responded quickly to the incident or prepared an incident report promptly. Our review also showed that OCIO quickly initiated followup with the agency only if the Department's intrusion detection system detected a repeat instance of the threat.

The Department identified 179 security incidents during the fiscal year through August 20, 2004.
As shown in the chart below, incidents were not always closed by the agencies in a timely manner.

[Chart: Status of Incidents. Pie chart with segments of 45%, 34%, and 21%; legend: Closed 0 - 30 days after incident; Closed 30 - 90 days after incident; Closed > 90 days or unresolved > 90 days.]

Despite our prior recommendation to implement a formal incident tracking system, OCIO has tracked cyber security incidents using one OCIO employee's e-mail. While this tracking method may be conducive to communicating incidents to agency personnel, it is not an effective method of tracking timely followup, resolution, and reporting by the agencies.

Increasing Agency Reviews

In the past few years, OCIO has decreased the number of its own reviews of agencies' security programs. With limited resources, OCIO has directed its efforts toward issuing policy and initiating Department-wide efforts such as the certification and accreditation process.
While these activities are critical components of OCIO's oversight role, we believe that the lack of an OCIO onsite presence has contributed, in part, to agencies not:

•  preparing security planning documentation and implementing security policies;
•  implementing effective vulnerability scanning and mitigation efforts;
•  enforcing access control policies;
•  deploying patch management software; and
•  preparing timely, complete, and supportable capital planning and investment control documentation.

While OIG has played a significant role in identifying these issues, OIG can only provide periodic independent assessments of agency operations. Ultimately, it is the responsibility of each agency's and the Department's management to ensure that internal controls, including information security controls, are adequate and effectively implemented on an ongoing basis. We believe that OCIO needs to increase its own reviews of agency operations to effectively oversee and administer the Department's overall security program.

Recommendation No. 2

OCIO should implement a formal tracking system for cyber security incidents to ensure timely followup, resolution, and reporting.

Agency Response.
OCIO concurred with this recommendation and has taken the necessary steps to procure and deploy a commercial off-the-shelf package for tracking cyber security incidents. This new tracking system will replace the one currently in use in the Department and will permit an effective method to track the timely followup, resolution, and reporting by the agencies and the Department. The new tracking system will be implemented no later than October 30, 2004.

OIG Response. We concur with OCIO's management decision.


Scope and Methodology

The scope of our review was Department-wide and included agency audits relating to IT completed during fiscal year 2004 through August 31, 2004. We conducted this audit in accordance with Government Auditing Standards.

Fieldwork for this audit was performed at the Department OCIO and three selected agencies from June to August 2004. In addition, the results of IT control testing and compliance testing with laws and regulations performed by contract auditors at three additional agencies are included in this report. Further, the results of our most recent general control and application control reviews were considered and incorporated into this report.
In total, our fiscal year 2004 audit work covered 12 agencies and staff offices, which operate approximately 229 of the estimated 460[9] general support and major application systems within the Department.

To accomplish our audit objectives, we performed the following procedures:

•  consolidated the results and issues from our prior IT security audit work, which consisted primarily of audit procedures found in the GAO Federal Information System Controls Audit Manual (FISCAM);
•  evaluated OCIO's progress in implementing recommendations to correct material weaknesses in prior OIG and GAO audit reports; and
•  gathered the necessary information to address the specific reporting requirements outlined in OMB Memorandum No. M-04-25, dated August 23, 2004.

[9] The total number of systems within the Department is based on OCIO's Certification and Accreditation update spreadsheet dated August 20, 2004. As presented in Finding No. 2, OCIO's data is agency-supplied and not verified or audited.
Therefore, we have no assurance that these figures are accurate. The number of systems in the 12 agencies in our review is based on independent auditor verification and may not be consistent with the number of systems reported by OCIO for Certification and Accreditation purposes.


Exhibit A – OMB Reporting Requirements and OIG Position
Exhibit A – Page 1 of 15

Section A: System Inventory and IT Security Performance

A.1.  By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency CIOs and IGs shall each identify the total number that they reviewed as part of this evaluation in FY04. NIST 800-26 is to be used as guidance for these reviews.

A.1.a.  FY04 Programs
There are approximately 26 agency and staff offices within the U.S. Department of Agriculture. The agencies we reviewed, the total number of systems identified in each of those agencies, and the number of systems we selected for review are shown in section A.1.b.

A.1.c.  FY04 Contractor Operations or Facilities
Of the 12 agencies we reviewed, we identified one agency that used three contractors and one subcontractor to support a major Department application that has not been certified and accredited. The application contractor developed and maintains the application. The facility contractor stores agency-owned servers and other hardware on its property in a secure and protected room.
The hardware maintenance contractor provides maintenance for hardware switch configuration and supports the firewalls used to protect the application. The firewall subcontractor manages the firewall and intrusion detection systems.

A.2.  For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.

Column key:
  A.1.b  FY04 systems: Total #[10] and # Rev.[11] (number reviewed)
  A.2.a  Number of systems certified and accredited
  A.2.b  Number of systems with security control costs integrated into the life cycle of the system
  A.2.c  Number of systems for which security controls have been tested and evaluated in the last year
  A.2.d  Number of systems with a contingency plan
  A.2.e  Number of systems for which contingency plans have been tested

     Bureau Name    Total #   # Rev.   A.2.a   A.2.b   A.2.c   A.2.d   A.2.e
  1. AMS                15        1       0       -       0       -       -
  2. APHIS              36        1       0       -       -       -       -
  3. CCC              --[12]      7       0       0       0       0       0
  4. CSREES              4        1       1       -       0       0       0
  5. DA                  7        1       1       1       2       1       0
  6. FSA                26        3       0       0       0       1       0
  7. FSIS               12        1       0       0       0       0       0
  8. FS                 66       29       7      66       0      15       0
  9. NFC                30        6       0       -       -       -       -
 10. NITC               11        4       0       -       -       1       1
 11. NRCS                3        2       0       0       0       0       0
 12. RMA                19        3       0       -       -       -       -
     Totals            229       59       9      67       2      18       1

Note 1: Dashes indicate that the information was not within the scope of our review.
Note 2: OIG-reported totals will differ from OCIO-reported totals due to the sampling of agencies we reviewed and to the timing of our fieldwork.

[10] Based on independent auditor verification and may not be consistent with the number of systems reported by OCIO.
[11] Reviews conducted from October 1, 2003 through August 31, 2004.
[12] See FSA for total number of systems.

A.3.  Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop-down menu. If appropriate or necessary, include comments in the Comment area provided below.

a.  Agency program officials and the agency CIO have used appropriate methods to ensure that contractor-provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

USDA has employed contractors in many aspects of its system operations. Contractors are used for network administration, system development, and as system administrators.
In conducting our agency reviews, our testing of contractor operations has been limited to access controls, security clearances, security awareness training, and the agencies' oversight of contractor activities. Based on our reviews, we do not believe the agencies have adequately employed methods to ensure that contractor-provided services meet the requirements of the Security Act, OMB, and NIST guidelines. However, to the extent that agencies use the Department's centralized data centers, our reviews help ensure that those centers take the necessary actions to meet the requirements of the Security Act, OMB, and NIST guidelines.

b.  The reviews of programs, systems, and contractor operations or facilities, identified above, were conducted using the NIST self-assessment guide, 800-26.

Agencies primarily use OIG audits to identify weaknesses in their management and oversight of contractors. Agencies also rely on our reviews of the Department's centralized data centers to ensure that the Security Act, OMB, and NIST guidelines are followed by those centers. Under FISMA, agencies use the NIST self-assessment guide to identify those areas where they are not compliant with federally mandated guidelines.

c.  In instances where the NIST self-assessment guide was not used to conduct reviews, the alternative methodology used addressed all elements of the NIST guide.

For conducting FISMA self-assessments, we found that the Department and its agencies generally follow NIST Special Publication 800-26; however, as we reported in Finding No. 2, not all agencies have followed NIST guidance when preparing security plans, risk assessments, and disaster recovery plans.

d.
The agency maintains an inventory of major IT systems and this inventory is updated at least annually.

The Department does not have a reliable inventory of applications and general support systems from which to manage Department-wide IT security. The Department relies on agencies to provide a comprehensive list; however, with limited resources, OCIO is unable to verify the accuracy or reliability of those agency-provided inventories. (See Finding No. 2.)

e.  The OIG was included in the development and verification of the agency's IT system inventory.

OIG was not involved in the development and verification of the agency IT system inventory.

f.  The OIG and the CIO agree on the total number of programs, systems, and contractor operations or facilities.

While we agree that OCIO's current list of major applications provides a starting point, we believe that the errors we found (see Finding No. 2) support the need for a well-established definition of a system and for ensuring that agencies report their systems in accordance with that definition. Further, we believe that OCIO needs to be fully aware of all applications and general support systems that reside on the Department's network, both to ensure that agencies comply with OMB and FISMA requirements and to effectively manage the Department's security program.
For example, in preparation of our\n        FY 2004 nationwide audit of application controls, we selected seven systems from the\n        OCIO\xe2\x80\x99s list of major applications dated December 2003. Our review disclosed that three of\n        the seven applications we selected were scheduled to be replaced or no longer used by the\n        end of the fiscal year, one application was in the initial stages of development and therefore\n        not far enough along for the certification process, and one system was an ad-hoc database\n        containing historical data no longer used by the agency but \xe2\x80\x9cscheduled\xe2\x80\x9d to be brought back\n        on-line sometime during the year. Further, we noted that between December 2003 and\n        August 20, 2004, OCIO provided us with at least four different lists of systems or\n        certification progress updates showing the total number of departmental systems ranging\n        between 594 and 460.\n\n     g. The agency CIO reviews and concurs with the major IT investment decisions of\n        bureaus (or major operating components) within the agency.\n\n        The Department has a comprehensive Capital Planning and Investment Control process in\n        place where each agency submits major IT investment information for review and approval\n        by the Department\xe2\x80\x99s CIO.\n\n\n\n\nUSDA/OIG-A/50501-1-FM                                                                          Page 24\n\x0cExhibit A \xe2\x80\x93 OMB Reporting Requirements and OIG Position\n                                                                                                                     Exhibit A \xe2\x80\x93 Page 4 of 15\n\n            h. 
The agency has begun to assess systems for e-authentication risk.\n\n                While the Department has begun to use e-authentication on its systems13 and has issued\n                guidance regarding the use of Public Key Infrastructure (PKI) technology,14 OIG has only\n                performed limited e-authentication system assessments during our reviews. We have plans\n                to expand our audit efforts into the Department\xe2\x80\x99s e-authentication and e-government\n                initiatives during fiscal year 2005.\n\n            i. The agency has appointed a senior agency information security officer that reports\n               directly to the CIO.\n\n                The Department has appointed a CIO to oversee the security program within the\n                Department. Our reviews at the agency level have shown that agencies have identified their\n                own CIO and ISSPM to manage their individual security programs. However, as noted in\n                Finding No. 1 of the Findings and Recommendations section of this report, we have found\n                that agency managers have not always committed to or maintained involvement in their\n                security programs. As a result, the Department and its agencies are not compliant with\n                OMB Circular A-130 and other federally mandated security guidelines.\n\n     Section B: Identification of Significant Deficiencies15\n     B.1.     By bureau, identify all FY 04 significant deficiencies in policies, procedures, or practices required to be reported under\n              existing law. Describe each on a separate row, and identify which are repeated from FY03. In addition, for each significant\n              deficiency, indicate whether a POA&M has been developed. 
Insert rows as needed.

Bureau   Total   Repeated         Identify and Describe Each Significant Deficiency                               POA&M
Name     Number  from FY 03 [16]                                                                                  developed?
                                                                                                                  Yes or No

AMS      4       Yes              Inadequate security plans                                                       No
                 Yes              Systems not certified and accredited                                            No
                 Yes              System scans not performed                                                      No
                 Yes              Inadequate logical controls                                                     No

APHIS    4       Yes              Systems not certified and accredited                                            No
                 Yes              Security awareness training not completed                                       No
                 Yes              Inadequate logical controls                                                     No
                 Yes              System scans not performed                                                      No

CCC      -                        See FSA below.

CSREES   8       No               Inadequate risk assessments                                                     No
                 No               Inadequate security plans                                                       No
                 No               Inadequate contingency plans and/or no testing of plan                          Yes
                 No               Security awareness training not completed                                       No
                 No               Systems not certified and accredited                                            Yes
                 No               Inadequate physical controls                                                    No
                 No               Inadequate logical controls                                                     No
                 No               System scans not performed                                                      No

DA       10      Yes              Inadequate risk assessments                                                     Yes
                 Yes              Inadequate security plans                                                       No
                 Yes              Inadequate contingency plans and/or no testing of plan                          Yes
                 Yes              Security awareness training not completed                                       No
                 Yes              Systems not certified and accredited                                            No
                 No               Background investigations not performed                                         No
                 Yes              Inadequate physical controls                                                    No
                 Yes              System scans not performed                                                      No
                 Yes              Inadequate patch management                                                     No
                 Yes              Inadequate logical controls                                                     No

FSA      11      No               Inadequate risk assessments                                                     Yes
                 Yes              Inadequate security plans                                                       Yes
                 Yes              Inadequate contingency plans and/or no testing of plan                          Yes
                 Yes              Security awareness training not completed                                       Yes
                 No               Systems not certified and accredited                                            Yes
                 No               Background investigations not performed                                         Yes
                 Yes              Inadequate physical controls                                                    Yes
                 Yes              System scans not performed                                                      Yes
                 Yes              Inadequate patch management                                                     Yes
                 Yes              Inadequate logical controls                                                     Yes
                 No               Capital asset plans not timely prepared and/or do not include required elements No

FSIS     8       Yes              Inadequate risk assessments                                                     No
                 Yes              Inadequate contingency plans and/or no testing of plan                          No
                 Yes              Systems not certified and accredited                                            No
                 Yes              Inadequate physical controls                                                    No
                 Yes              Inadequate logical controls                                                     No
                 No               System scans not performed                                                      No
                 No               Inadequate patch management                                                     No
                 No               Inadequate system documentation and change management                           No

FS       9       Yes              Inadequate risk assessments                                                     No
                 Yes              Inadequate security plans                                                       No
                 Yes              Inadequate contingency plans and/or no testing of plan                          No
                 Yes              Security awareness training not completed                                       No
                 Yes              Systems not certified and accredited                                            No
                 No               Background investigations not performed                                         No
                 Yes              Inadequate physical controls                                                    No
                 No               Inadequate patch management                                                     No
                 Yes              Inadequate logical controls                                                     No

NFC      3       Yes              Systems not certified and accredited                                            Yes
                 Yes              Inadequate logical controls                                                     No
                 Yes              Inadequate system documentation and change management                           No

NITC     8       No               Inappropriate/Unlicensed software used                                          No
                 Yes              Inadequate risk assessments                                                     No
                 Yes              Inadequate security plans                                                       No
                 Yes              Inadequate contingency plans and/or no testing of plan                          No
                 Yes              Systems not certified and accredited                                            No
                 No               System scans not performed                                                      No
                 Yes              Inadequate logical controls                                                     No
                 Yes              Inadequate system documentation and change management                           No

NRCS     10      Yes              Inadequate risk assessments                                                     No
                 Yes              Inadequate security plans                                                       No
                 Yes              Inadequate contingency plans and/or no testing of plan                          No
                 No               Systems not certified and accredited                                            No
                 No               System scans not performed                                                      No
                 No               Inadequate patch management                                                     No
                 No               Capital asset plans not timely prepared and/or do not include required elements No
                 No               Inadequate system documentation and change management                           No
                 Yes              Inadequate logical controls                                                     No
                 Yes              Inadequate physical controls                                                    No

RMA      5       Yes              Inadequate contingency plans and/or no testing of plan                          No
                 Yes              Security awareness training not completed                                       No
                 Yes              Inadequate logical controls                                                     No
                 Yes              Inadequate system documentation and change management                           No
                 Yes              System scans not performed                                                      No

Totals   80      54 (Yes)                                                                                         15 (Yes)
                 26 (No)                                                                                          65 (No)
                 67.5% (Yes)                                                                                      19% (Yes)
                 32.5% (No)                                                                                       81% (No)

13 Agencies are currently in the process of having their users subscribe to use Gov Online Learning Center (www.golearn.gov), which requires e-authentication.
14 In January and March 2002, the Department issued guidance regarding the use of Public Key Infrastructure (PKI) Technology.
15 All OIG-reported weaknesses are, in our opinion, significant deficiencies.
16 Deficiency repeated from a prior year’s audit but may not have been from fiscal year 2003 review.

Section C: OIG Assessment of the POA&M Process

C.1.
Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestone (POA&M) process. This question is for IGs only. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.

a. Known IT security weaknesses, from all components, are incorporated into the POA&M.

   Overall, the Department has developed and implemented a process to manage the Department-wide consolidation and reporting of POA&M weaknesses. However, agencies are not always supplying all of the information requested by OMB, such as the source of the funds to correct the weakness. We determined that not all known IT security weaknesses were included in agencies’ POA&Ms. At the time of our review, agencies were still completing risk assessments, so not all weaknesses identified by those risk assessments had been reported in the POA&Ms.

b. Program officials develop, implement, and manage POA&Ms for systems they own and operate (systems that support their program or programs) that have an IT security weakness.

   The Department and its agencies have not prepared POA&Ms for each of their systems. We attribute this, in part, to a lack of risk assessments and security plans; therefore, not all security weaknesses have been identified for reporting purposes. In fiscal year 2004, the Department implemented a Department-wide initiative to certify and accredit all major applications and general support systems, a process of which assessing risks is a part. However, the effort is far from complete. (See Finding No. 2.)

c. Program officials report to the CIO on a regular basis (at least quarterly) on their remediation progress.

   Our review disclosed that not all agencies report complete POA&M data on a timely basis. The agencies we reviewed did not have controls in place to ensure that POA&M data reported to the Department’s CIO was complete and accurate.

d. CIO develops, implements, and manages POA&Ms for every system they own and operate (a system that supports their program or programs) that has an IT security weakness.

   The Department and its agencies have not prepared POA&Ms for each of their systems. We attribute this, in part, to a lack of risk assessments and security plans; therefore, not all security weaknesses have been identified for reporting purposes. In fiscal year 2004, the Department implemented a Department-wide initiative to certify and accredit all major applications and general support systems, a process of which assessing risks is a part. However, the effort is far from complete. (See Finding No. 2.)

e. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.

   The Department OCIO maintains a tracking system that the agencies use to track all POA&M weaknesses and milestones on a quarterly basis. However, as stated in question C.1.c., not all agencies have controls in place to ensure that the reported information is complete and accurate.

f. The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses.

   We do not believe the Department’s centralized tracking system of POA&M weaknesses has matured to the level of being an authoritative agency and IG management tool. Our reviews of agency-prepared POA&Ms have found that not all weaknesses are identified, and that not all of the information required by OMB is properly reported. Therefore, OIG has not relied on POA&Ms as an effective management tool for its reviews.

g. System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11).

   Not all agencies have prepared POA&Ms for every system, and in many cases, the source of security funds is not captured in POA&M reports. Therefore, we cannot say with certainty whether all POA&Ms are tied to the system budget request as required by OMB Circular A-11.

h. OIG has access to POA&Ms as requested.

   OIG has access to POA&M records.

i. OIG findings are incorporated into the POA&M process.

   OIG findings are not always incorporated into the POA&M process. Officials at the agencies we reviewed stated that the certification and accreditation process, which is scheduled to be completed September 30, 2004, would eliminate the POA&M weaknesses identified in OIG’s reports. OIG does not agree with this assessment, since many of the weaknesses we identified require long-term solutions that need to be tracked through the POA&M process.

j. POA&M process prioritizes IT security weaknesses to help ensure that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.

   POA&M weaknesses are not prioritized; however, agencies use the POA&Ms to identify milestones accomplished toward meeting the necessary actions to correct the weaknesses.

C.2 OIG Assessment of the Certification and Accreditation Process

Section C should only be completed by the OIG. OMB is requesting IGs to assess the agency’s certification and accreditation process in order to provide a qualitative assessment of this critical activity. This assessment should consider the quality of the Agency’s certification and accreditation process. Any new certification and accreditation work initiated after completion of NIST Special Publication 800-37 should be consistent with NIST Special Publication 800-37. This includes use of FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Earlier NIST guidance is applicable to any certification and accreditation work completed or initiated before finalization of NIST Special Publication 800-37. Agencies were not expected to use NIST Special Publication 800-37 as guidance before it became final.

At the time of our fieldwork, the agencies we reviewed had not completed system certifications and accreditations on their major applications or general support systems. Agency officials informed us that they are completing the certifications in accordance with the Department’s directives and intend to have this process completed by September 30, 2004. Despite the longstanding requirement by OMB to complete this certification and accreditation process prior to system implementation, the requirement has been largely ignored and not enforced. Department CIO officials have informed us that they are committed to ensuring that the certification and accreditation process is fully implemented into every agency’s system development lifecycle process. (See Finding No. 2.)

Section D

D.1. First, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E.
For\n       D.1.a-f, identify whether agencywide security configuration requirements address each\n       listed application or operating system (Yes, No, or Not Applicable), and then evaluate the\n       degree to which these configurations are implemented on applicable systems. For\n       example: If your agency has a total of 200 systems, and 100 of those systems are running\n       Windows 2000, the universe for evaluation of degree would be 100 systems. If 61 of those\n       100 systems follow configuration requirement policies, and the configuration controls are\n       implemented, the answer would reflect "yes" and "51-70%". If appropriate or\n       necessary, include comments in the Comment area provided below.\n\nD.1.   Has the CIO implemented agencywide policies that require detailed specific security\n       configurations and what is the degree by which the configurations are implemented?\n\n              D.1.a.   Windows XP Professional\n              D.1.b.   Windows NT\n              D.1.c.   Windows 2000 Professional\n              D.1.d.   Windows 2000\n              D.1.e.   Windows 2000 Server\n              D.1.f.   Windows 2003 Server\n              D.1.g.   Solaris\n              D.1.h.   HP-UX\n              D.1.i.   Linux\n              D.1.j.   Cisco Router IOS\n              D.1.k.   Oracle\n              D.1.l.   Other. Specify:\n       OCIO has provided the agencies security assessment guidelines for the Windows , Solaris, HP-\n       UX, and Linux operating systems. In addition, the Department has similar security assessment\n       guidelines for mainframe, classified systems, personal electronic devices (PED),\n       telecommunications, Web Farms, and AS400s. 
       The Department has an ongoing initiative to prepare specific security configuration
       policies to be used as suggested baselines for each of the above operating environments.

USDA/OIG-A/50501-1-FM                                                                Page 31

Exhibit A – OMB Reporting Requirements and OIG Position
                                                                  Exhibit A – Page 11 of 15

D.2.   Answer Yes or No, and then evaluate the degree to which the configuration requirements
       address the patching of security vulnerabilities. If appropriate or necessary, include
       comments in the Comment area provided below.

       D.2.   Do the configuration requirements implemented above in D.1.a-f. address
              patching of security vulnerabilities?

              The OCIO has issued guidance on patch and configuration management and has
              encouraged agencies to deploy patch management software. However, few agencies
              have taken advantage of this software to manage patches. During our reviews, we
              identified system vulnerabilities by performing tests using the scanning product
              available to all agencies for their use. Our scans identified vulnerabilities that would
              have been mitigated if agencies had timely applied patches or if agencies had
              vigilantly used the Department-provided scanning software to identify and timely
              mitigate vulnerabilities on their systems.

Section E: Incident Detection and Handling Procedures

E.1.   Evaluate the degree to which the following statements reflect the status at your agency. If
       appropriate or necessary, include comments in the Comment area provided below.

       a.     The agency follows documented policies and procedures for reporting incidents
              internally.

              The Department’s OCIO has a comprehensive incident response program in place. It
              operates effectively at the Department level. The program includes intrusion detection
              capability on the Department’s backbone network and communication with the United
              States Computer Emergency Readiness Team and law enforcement authorities.
              However, we found that the Department’s CIO has not developed an effective tracking
              system for security incidents to ensure that agencies timely address and report on
              security incidents. (See Finding No. 5.)

       b.     The agency follows documented policies and procedures for external reporting to
              law enforcement authorities.

              See response for E.1.a. above.

       c.     The agency follows defined procedures for reporting to the United States
              Computer Emergency Readiness Team (US-CERT).

              See response for E.1.a. above.

E.2.   Incident Detection Capabilities.

       a.     How many systems underwent vulnerability scans and penetration tests in FY04?

              At 11 of the 12 agencies we reviewed,[20] the agencies had failed to establish effective
              controls to timely identify and mitigate vulnerabilities on their systems as required by
              Department policy.
              In 2001, the Department, based on our audit results, purchased a
              Department-wide license for a commercially available vulnerability scanning software
              tool. The tool identifies vulnerabilities exploitable in operating systems that use
              TCP/IP, the protocol used on the global Internet, and categorizes vulnerabilities into
              high, medium, and low risk.[21] Some agencies we reviewed scanned their systems once
              every few months but not on a consistent basis, other agencies scanned their systems
              using one of the software’s built-in policies that does not identify all known
              vulnerabilities that can be exploited by attackers, and other agencies failed to scan
              critical components of their networks such as their routers and firewalls. (See Finding
              No. 3.)

       b.     Specifically, what tools, techniques, technologies, etc., does the agency use to
              mitigate IT security risk?

              Agencies have sporadically employed various tools, techniques, and technologies to
              mitigate IT security risks including ISS Internet Scanner, Bindview, Nessus, Patch
              Link, Microsoft Baseline Analyzer, McAfee Virus Protection Software, and Symantec
              AntiVirus.

[20] One agency had established effective controls over its own scanning process.
[21] High-risk vulnerabilities are security issues that allow immediate remote or local access, or
     immediate execution of code or commands with unauthorized privileges. Medium-risk
     vulnerabilities are security issues that have the potential of granting access or allowing code
     execution by means of complex or lengthy exploit procedures. Low-risk vulnerabilities are
     security issues that deny service or provide non-system information that could be used to
     formulate structured attacks on a target, but not directly gain unauthorized access.

Section F: Incident Reporting and Analysis

F.1.   For each category of incident listed: identify the total number of successful incidents
       in FY04, the number of incidents reported to US-CERT, and the number reported to
       law enforcement. If your agency considers another category of incident type to be
       high priority, include this information in category VII, "Other". If appropriate or
       necessary, include comments in the Comment area provided below.

F.2.   Identify the number of systems affected by each category of incident in FY04. If
       appropriate or necessary, include comments in the Comment area provided below.

       Table columns:
         F.1.a.  Reported internally
         F.1.b.  Reported to FedCIRC
         F.1.c.  Reported to law enforcement
         F.2.a.  Systems with complete and up-to-date C&A[22]
         F.2.b.  Systems[23] without complete and up-to-date C&A
         F.2.c.  How many successful incidents occurred for known vulnerabilities for which a
                 patch was available?

       Incident category                         F.1.a.  F.1.b.  F.1.c.  F.2.a.  F.2.b.  F.2.c.
       I.   Root Compromise                         39      28       3       0     162       9
       II.  User Compromise                         45       9       9       0      44       0
       III. Denial of Service Attack                 2       1       0       0       4       1
       IV.  Website Defacement                       1       1       0       0       1       0
       V.   Detection of Malicious Code             10       5       1       1      10       4
       VI.  Successful Virus/Worm Introduction      79      53       1       0     525      55
       VII. Other                                    3       0       1       0       3       0
       Totals:                                     179      97      15       1     749      69

       Incidents reported from October 1, 2003 through August 20, 2004.

Section G: Training

G.1.   Has the agency CIO ensured security training and awareness of all employees, including
       contractors and those employees with significant IT security responsibilities? If
       appropriate or necessary, include comments in the Comment area provided below.

       a.     Total number of employees in FY04

              As of August 29, 2004, the Department has 116,603 employees.[24] The Department
              does not have a central database of all contractors. Therefore, an accurate count of
              contractors is not available.

[22] To determine if the system was certified and accredited, OIG determined if the agencies’ local
     area networks were certified and accredited.
[23] These numbers represent the number of IP addresses reported as being affected by the incident.
     Because the incident is reported by IP address, OIG was not able to identify the systems.
[24] Based on National Finance Center (NFC) payroll system data.

       b.
              Employees that received IT security awareness training in FY04, as described in
              NIST Special Publication 800-50.

              Agencies we reviewed had processes and resources in place to provide their employees
              with security awareness training and to give system and network administrators a
              means to acquire specialized training relating to their responsibilities; however,
              agencies had not established adequate controls to ensure all employees received the
              necessary training. In one agency, OIG found that almost all employees had received
              security awareness training. However, in another agency only about 51 percent of the
              employees took security awareness training, and the agency could not provide an
              up-to-date listing of contractors, contractor training, or contractor background checks
              because no controls had been put into place to track these individuals. The OCIO
              annually reports on compliance with the Federal Information Security Management Act
              (FISMA) as of September 30 and, in some cases such as computer security awareness
              training and system certification and accreditation, completes, or documents the
              completion of, a significant amount of the required actions in the month of September.
              As such, the Department and its agencies may have implemented controls or completed
              corrective actions that, due to the timing of our fieldwork, may not be reflected in this
              report.

       c.     Total number of employees with significant IT security responsibilities.

              Not all agencies have established controls to ensure that all employees with significant
              IT security responsibilities are provided training related to those responsibilities. Based
              on our FISMA review at three USDA agencies, one agency had not identified employees
              with significant IT responsibilities. For the other two agencies, there are 501 employees
              with significant responsibilities. We found that only 165 of the 501 received specialized
              training. These three agencies have a total of 36,112 employees.

       d.     Employees with significant security responsibilities that received specialized
              training, as described in NIST Special Publications 800-50 and 800-16

              See G.1.c. response above.

       e.     Briefly describe training provided.

              The reviews we conducted showed that OCIO and agencies had various training
              initiatives. Provided and/or planned training included:

              •   Certification and accreditation training,
              •   Responsibilities of agency Information System Security Program Managers
                  (ISSPMs),
              •   General Security Awareness,
              •   USDA Security Awareness course (available August 4, 2004),
              •   Securing Local Area Networks,
              •   Managing Network Security,
              •   Identifying Viruses,
              •   Fundamentals of Internet Security, and
              •   An Executive Briefing Handbook for Senior Executives that includes rules,
                  regulations, references, and executive briefing training material.

       f.     Total costs for providing IT security training in FY04 (in $'s)

              This information is not readily available for all agencies. For the three agencies we
              reviewed, one agency had not determined these costs. For the other two agencies,
              $222,000 was spent on IT security training for their employees.

G.2.   Does the agency explain policies regarding peer-to-peer file sharing in IT security
       awareness training, ethics training, or any other agency-wide training?

       Our reviews focus on whether or not agencies have controls in place to provide security
       awareness training to all employees, and whether those with significant IT security
       responsibilities are provided specialized training. Our reviews, up to now, have not
       included a comprehensive review of the content of the security training offered or
       provided by each agency.

Exhibit B – OCIO’s Response to the Draft Report
                                                  Exhibit B – Page 1 of 5